Hi,
We're thinking about replacing our CheckPoint Firewall-1 with pfSense. We
are only using the following features on Firewall-1 (R65):
- Security (default deny on everything)
- NAT (inbound for internet-facing hosts, and selective outbound:
workstations go out through a proxy, other selected hosts are NAT'd
based on destination host and port(s))
- We do have some security rules defined in their SmartDefense, but it
is a nightmare to configure without getting many false positives. I'm
pretty sure we could go without it or simply add Snort to pfSense.
We had a project for a roaming-users VPN, but it's on ice right now. We
are using SSH tunnels to connect home users' PCs to the corporate network,
and we will need a solution for the few corporate laptops to connect to
the corporate network. However, with all the VPN options available in
pfSense, I don't think this would be a problem.
Reasons to switch to pfSense:
- Our Firewall-1 version is not supported anymore so we have to upgrade
anyway
- Service contracts are a lot cheaper
- We would have to pay extra $$ for a redundant setup (CARP pfSense is free)
- It is a platform that I know and I like open-source software
- It is "officially supported" on VMware (well, I guess, with a service
contract)
- Server load balancing can be used for simple HA setups
- DHCP server on the firewall (no need for DHCP relay)
- Other interesting packages
We are thinking about running a redundant (CARP) setup with one pfSense
on our VMware cluster, and one on a physical, separate machine.
Concerns:
1- NAT reflection - We don't have a split-DNS setup. CheckPoint does
seem to manage NAT reflection perfectly.
2- Ease of migrating the configuration to pfSense - I would set up a
pfSense VM in parallel and start migrating all the rules manually, but
I'm scared of missing some, or of hitting a situation where the
Firewall-1 can do something and pfSense can't.
3- Backups. Are automated backups (of the config, at least) possible
even without a service contract?
Can people share their experience with this kind of scenario?
Don't hesitate if you need more info.
Thanks,
Ugo
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
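On concern 3 (automated config backups without a service contract): pfSense keeps its whole configuration in a single XML file, so a backup needs nothing more than SSH access to the box and a cron entry on a backup host. The script below is an added example, not code from the original post or from the pfSense project. It assumes the config lives at /cf/conf/config.xml, that the backup host has key-based SSH access as a user allowed to read it, and a hostname of fw1.example.org; adjust those via the environment variables. The fetch is only attempted when PFSENSE_BACKUP_RUN=1 is set, so the validation and storage functions can be exercised on their own.

```shell
#!/bin/sh
# Added example: pull a pfSense config.xml over SSH, sanity-check it and keep
# a dated copy only when it differs from the last one stored.
set -eu

FW_HOST="${FW_HOST:-fw1.example.org}"                # assumed hostname
FW_USER="${FW_USER:-admin}"                          # assumed SSH user
REMOTE_CONF="${REMOTE_CONF:-/cf/conf/config.xml}"    # assumed config path on pfSense
BACKUP_DIR="${BACKUP_DIR:-/var/backups/pfsense}"

# fetch_config HOST USER REMOTE_PATH DEST
# Copies the remote file with non-interactive SSH (fails instead of prompting).
fetch_config() {
    ssh -o BatchMode=yes -o ConnectTimeout=15 "$2@$1" "cat '$3'" > "$4"
}

# validate_config FILE
# Returns 0 only if FILE is non-empty, starts with an XML declaration and
# carries a complete <pfsense>...</pfsense> document. A truncated transfer
# or an unrelated page (e.g. a login form) fails here instead of being stored.
validate_config() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^<?xml' || return 1
    grep -q '<pfsense>' "$f" || return 1
    grep -q '</pfsense>' "$f" || return 1
    return 0
}

# store_if_changed FILE DIR
# Keeps FILE as DIR/config-<utc timestamp>-<checksum>.xml unless it is
# byte-identical to DIR/config-latest.xml. Prints "stored" or "unchanged".
# config.xml contains password hashes and VPN secrets, hence mode 600.
store_if_changed() {
    f="$1"; dir="$2"
    mkdir -p "$dir"
    chmod 700 "$dir"
    latest="$dir/config-latest.xml"
    if [ -f "$latest" ] && cmp -s "$f" "$latest"; then
        echo unchanged
        return 0
    fi
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    sum=$(cksum "$f" | cut -d' ' -f1)
    dest="$dir/config-$stamp-$sum.xml"
    cp "$f" "$dest"
    chmod 600 "$dest"
    cp "$dest" "$latest"
    chmod 600 "$latest"
    echo stored
}

# main: one backup run, suitable for cron.
main() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_config "$FW_HOST" "$FW_USER" "$REMOTE_CONF" "$tmp"
    if ! validate_config "$tmp"; then
        echo "backup aborted: $FW_HOST did not return a usable config.xml" >&2
        exit 1
    fi
    result=$(store_if_changed "$tmp" "$BACKUP_DIR")
    echo "$FW_HOST: config $result"
}

# Only run the fetch when explicitly asked, so the functions above can be sourced.
if [ "${PFSENSE_BACKUP_RUN:-0}" = 1 ]; then
    main
fi
```

A cron line such as `0 * * * * PFSENSE_BACKUP_RUN=1 FW_HOST=fw1.example.org /usr/local/sbin/pfsense-backup.sh` on the backup host gives hourly, change-only snapshots. Because the snapshots are plain config.xml files they can be restored through Diagnostics > Backup/Restore in the web interface, and two consecutive copies can be diffed to see exactly which rule changed and when. For a CARP pair, run it against each node, or against the primary only if the secondary is kept in sync by config synchronisation.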